普通文本  |  315行  |  11.19 KB

# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat 
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

import unittest
import sepolgen.refpolicy as refpolicy
import sepolgen.access as access
import selinux

class TestIdSet(unittest.TestCase):
    def test_set_to_str(self):
        s = refpolicy.IdSet(["read", "write", "getattr"])
        s = s.to_space_str().split(' ')
        s.sort()
        expected = "{ read write getattr }".split(' ')
        expected.sort()
        self.assertEqual(s, expected)
        s = refpolicy.IdSet()
        s.add("read")
        self.assertEqual(s.to_space_str(), "read")

class TestXpermSet(unittest.TestCase):
    def test_init(self):
        """ Test that all atttributes are correctly initialized. """
        s1 = refpolicy.XpermSet()
        self.assertEqual(s1.complement, False)
        self.assertEqual(s1.ranges, [])

        s2 = refpolicy.XpermSet(True)
        self.assertEqual(s2.complement, True)
        self.assertEqual(s2.ranges, [])

    def test_normalize_ranges(self):
        """ Test that ranges that are overlapping or neighboring are correctly
            merged into one range. """
        s = refpolicy.XpermSet()
        s.ranges = [(1, 7), (5, 10), (100, 110), (102, 107), (200, 205),
            (205, 210), (300, 305), (306, 310), (400, 405), (407, 410),
            (500, 502), (504, 508), (500, 510)]
        s._XpermSet__normalize_ranges()

        i = 0
        r = list(sorted(s.ranges))
        while i < len(r) - 1:
            # check that range low bound is less than equal than the upper bound
            self.assertLessEqual(r[i][0], r[i][1])
            # check that two ranges are not overlapping or neighboring
            self.assertGreater(r[i + 1][0] - r[i][1], 1)
            i += 1

    def test_add(self):
        """ Test adding new values or ranges to the set. """
        s = refpolicy.XpermSet()
        s.add(1, 7)
        s.add(5, 10)
        s.add(42)
        self.assertEqual(s.ranges, [(1,10), (42,42)])

    def test_extend(self):
        """ Test adding ranges from another XpermSet object. """
        a = refpolicy.XpermSet()
        a.add(1, 7)

        b = refpolicy.XpermSet()
        b.add(5, 10)

        a.extend(b)
        self.assertEqual(a.ranges, [(1,10)])

    def test_to_string(self):
        """ Test printing the values to a string. """
        a = refpolicy.XpermSet()
        a.complement = False
        self.assertEqual(a.to_string(), "")
        a.complement = True
        self.assertEqual(a.to_string(), "")
        a.add(1234)
        self.assertEqual(a.to_string(), "~ 1234")
        a.complement = False
        self.assertEqual(a.to_string(), "1234")
        a.add(2345)
        self.assertEqual(a.to_string(), "{ 1234 2345 }")
        a.complement = True
        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
        a.add(42,64)
        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
        a.complement = False
        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")

class TestSecurityContext(unittest.TestCase):
    def test_init(self):
        sc = refpolicy.SecurityContext()
        sc = refpolicy.SecurityContext("user_u:object_r:foo_t")
    
    def test_from_string(self):
        context = "user_u:object_r:foo_t"
        sc = refpolicy.SecurityContext()
        sc.from_string(context)
        self.assertEqual(sc.user, "user_u")
        self.assertEqual(sc.role, "object_r")
        self.assertEqual(sc.type, "foo_t")
        self.assertEqual(sc.level, None)
        if selinux.is_selinux_mls_enabled():
            self.assertEqual(str(sc), context + ":s0")
        else:
            self.assertEqual(str(sc), context)
        self.assertEqual(sc.to_string(default_level="s1"), context + ":s1")

        context = "user_u:object_r:foo_t:s0-s0:c0-c255"
        sc = refpolicy.SecurityContext()
        sc.from_string(context)
        self.assertEqual(sc.user, "user_u")
        self.assertEqual(sc.role, "object_r")
        self.assertEqual(sc.type, "foo_t")
        self.assertEqual(sc.level, "s0-s0:c0-c255")
        self.assertEqual(str(sc), context)
        self.assertEqual(sc.to_string(), context)

        sc = refpolicy.SecurityContext()
        self.assertRaises(ValueError, sc.from_string, "abc")

    def test_equal(self):
        sc1 = refpolicy.SecurityContext("user_u:object_r:foo_t")
        sc2 = refpolicy.SecurityContext("user_u:object_r:foo_t")
        sc3 = refpolicy.SecurityContext("user_u:object_r:foo_t:s0")
        sc4 = refpolicy.SecurityContext("user_u:object_r:bar_t")

        self.assertEqual(sc1, sc2)
        self.assertNotEqual(sc1, sc3)
        self.assertNotEqual(sc1, sc4)

class TestObjecClass(unittest.TestCase):
    def test_init(self):
        o = refpolicy.ObjectClass(name="file")
        self.assertEqual(o.name, "file")
        self.assertTrue(isinstance(o.perms, set))

class TestAVRule(unittest.TestCase):
    def test_init(self):
        a = refpolicy.AVRule()
        self.assertEqual(a.rule_type, a.ALLOW)
        self.assertTrue(isinstance(a.src_types, set))
        self.assertTrue(isinstance(a.tgt_types, set))
        self.assertTrue(isinstance(a.obj_classes, set))
        self.assertTrue(isinstance(a.perms, set))

    def test_to_string(self):
        a = refpolicy.AVRule()
        a.src_types.add("foo_t")
        a.tgt_types.add("bar_t")
        a.obj_classes.add("file")
        a.perms.add("read")
        self.assertEqual(a.to_string(), "allow foo_t bar_t:file read;")

        a.rule_type = a.DONTAUDIT
        a.src_types.add("user_t")
        a.tgt_types.add("user_home_t")
        a.obj_classes.add("lnk_file")
        a.perms.add("write")
        # This test might need to go because set ordering is not guaranteed
        a = a.to_string().split(' ')
        a.sort()
        b = "dontaudit { foo_t user_t } { user_home_t bar_t }:{ lnk_file file } { read write };".split(' ')
        b.sort()
        self.assertEqual(a, b)

class TestAVExtRule(unittest.TestCase):
    def test_init(self):
        """ Test initialization of attributes """
        a = refpolicy.AVExtRule()
        self.assertEqual(a.rule_type, a.ALLOWXPERM)
        self.assertIsInstance(a.src_types, set)
        self.assertIsInstance(a.tgt_types, set)
        self.assertIsInstance(a.obj_classes, set)
        self.assertIsNone(a.operation)
        self.assertIsInstance(a.xperms, refpolicy.XpermSet)

    def test_rule_type_str(self):
        """ Test strings returned by __rule_type_str() """
        a = refpolicy.AVExtRule()
        self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
        a.rule_type = a.ALLOWXPERM
        self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
        a.rule_type = a.DONTAUDITXPERM
        self.assertEqual(a._AVExtRule__rule_type_str(), "dontauditxperm")
        a.rule_type = a.NEVERALLOWXPERM
        self.assertEqual(a._AVExtRule__rule_type_str(), "neverallowxperm")
        a.rule_type = a.AUDITALLOWXPERM
        self.assertEqual(a._AVExtRule__rule_type_str(), "auditallowxperm")
        a.rule_type = 42
        self.assertIsNone(a._AVExtRule__rule_type_str())

    def test_from_av(self):
        """ Test creating the rule from an access vector. """
        av = access.AccessVector(["foo", "bar", "file", "ioctl"])
        xp = refpolicy.XpermSet()
        av.xperms = { "ioctl": xp }

        a = refpolicy.AVExtRule()

        a.from_av(av, "ioctl")
        self.assertEqual(a.src_types, {"foo"})
        self.assertEqual(a.tgt_types, {"bar"})
        self.assertEqual(a.obj_classes, {"file"})
        self.assertEqual(a.operation, "ioctl")
        self.assertIs(a.xperms, xp)

    def test_from_av_self(self):
        """ Test creating the rule from an access vector that has same
            source and target context. """
        av = access.AccessVector(["foo", "foo", "file", "ioctl"])
        xp = refpolicy.XpermSet()
        av.xperms = { "ioctl": xp }

        a = refpolicy.AVExtRule()

        a.from_av(av, "ioctl")
        self.assertEqual(a.src_types, {"foo"})
        self.assertEqual(a.tgt_types, {"self"})
        self.assertEqual(a.obj_classes, {"file"})
        self.assertEqual(a.operation, "ioctl")
        self.assertIs(a.xperms, xp)

    def test_to_string(self):
        """ Test printing the rule to a string. """
        a = refpolicy.AVExtRule()
        a._AVExtRule__rule_type_str = lambda: "first"
        a.src_types.to_space_str = lambda: "second"
        a.tgt_types.to_space_str = lambda: "third"
        a.obj_classes.to_space_str = lambda: "fourth"
        a.operation = "fifth"
        a.xperms.to_string = lambda: "seventh"

        self.assertEqual(a.to_string(),
                         "first second third:fourth fifth seventh;")

class TestTypeRule(unittest.TestCase):
    def test_init(self):
        a = refpolicy.TypeRule()
        self.assertEqual(a.rule_type, a.TYPE_TRANSITION)
        self.assertTrue(isinstance(a.src_types, set))
        self.assertTrue(isinstance(a.tgt_types, set))
        self.assertTrue(isinstance(a.obj_classes, set))
        self.assertEqual(a.dest_type, "")

    def test_to_string(self):
        a = refpolicy.TypeRule()
        a.src_types.add("foo_t")
        a.tgt_types.add("bar_exec_t")
        a.obj_classes.add("process")
        a.dest_type = "bar_t"
        self.assertEqual(a.to_string(), "type_transition foo_t bar_exec_t:process bar_t;")


class TestParseNode(unittest.TestCase):
    def test_walktree(self):
        # Construct a small tree
        h = refpolicy.Headers()
        a = refpolicy.AVRule()
        a.src_types.add("foo_t")
        a.tgt_types.add("bar_t")
        a.obj_classes.add("file")
        a.perms.add("read")

        ifcall = refpolicy.InterfaceCall(ifname="allow_foobar")
        ifcall.args.append("foo_t")
        ifcall.args.append("{ file dir }")

        i = refpolicy.Interface(name="foo")
        i.children.append(a)
        i.children.append(ifcall)
        h.children.append(i)

        a = refpolicy.AVRule()
        a.rule_type = a.DONTAUDIT
        a.src_types.add("user_t")
        a.tgt_types.add("user_home_t")
        a.obj_classes.add("lnk_file")
        a.perms.add("write")
        i = refpolicy.Interface(name="bar")
        i.children.append(a)
        h.children.append(i)

class TestHeaders(unittest.TestCase):
    def test_iter(self):
        h = refpolicy.Headers()
        h.children.append(refpolicy.Interface(name="foo"))
        h.children.append(refpolicy.Interface(name="bar"))
        h.children.append(refpolicy.ClassMap("file", "read write"))
        i = 0
        for node in h:
            i += 1
        self.assertEqual(i, 3)
        
        i = 0
        for node in h.interfaces():
            i += 1
        self.assertEqual(i, 2)